Survey: IT departments are losing cloud security battle

Government IT professionals aren’t the only ones having trouble keeping up with the security demands that come with the adoption of cloud computing.

A study released earlier this week by the Ponemon Institute finds that IT professionals are having trouble managing data stored in the cloud, are often kept in the dark about, or can’t identify, who is responsible for data security, and do not have worthwhile security measures in place for data at rest.

The study, which surveyed more than 1,800 IT professionals around the world, found that while a majority (78 percent) expect their organization’s use of cloud to increase over the next two years, most (71 percent) believe that protecting sensitive data on the cloud is harder and more complex than protection measures on conventional data centers.

Survey respondents pointed to a number of different reasons for why data management on the cloud has been so hard, including IT systems or solutions that have been put in place without going through the proper channels, better known as “shadow IT.”

A chart that shows what IT professionals believe to be the hardest part of dealing with security in the cloud. (Courtesy of the Ponemon Institute)

According to the survey, half of all cloud services are deployed, and 44 percent of data stored in the cloud is managed, by departments outside of IT. As a result, only 19 percent of respondents say they have a complete picture of their organization’s cloud applications, platforms or infrastructure services.

Regardless of whether IT professionals have a good outlook on their cloud profiles, there seem to be growing concerns about who is responsible for security and what measures need to be taken to protect data.

Survey respondents were divided on which entity is responsible for cloud security: Thirty-two percent claimed it’s the cloud provider’s responsibility, 33 percent said the cloud user, and 35 percent said it was a shared responsibility.

A chart that shows IT professionals have mixed feelings on which entity should be responsible for cloud security. (Courtesy of the Ponemon Institute)

While the majority of respondents said security measures will become more important over the next two years, only 36 percent of respondents said their organization uses encryption or tokenization for data at rest, with only 28 percent saying they encrypt data directly within cloud applications.

“While the cloud has revolutionized the way IT is delivered, many IT organizations are finding it difficult to keep up with demand for these services and the security implications that are created when critical data is stored in the cloud,” said Tsion Gonen, chief strategy officer for SafeNet, which sponsored the study. “As we’ve seen in 2014 with a raft of record-breaking data breaches, organizations are attacked frequently from different angles. In order to mitigate risk, there needs to be focused coordination and new approaches to securing data in the cloud, and IT needs to be at the center of this migration.”

The study makes a number of recommendations for streamlining the security process, including increased transparency and clearly defined roles on who is accountable for data protection, better visibility of cloud usage within organizations and “bring your own encryption” tools that will allow organizations to store keys across multiple cloud environments.

Todd Moore, SafeNet’s vice president of encryption, said companies — especially those that work with the government — should take the lead on data security when it comes to working on the cloud. He said one of the best ways to do this is through customer ownership of encryption keys.

“Even though a cloud provider may provide data encryption, it’s important to maintain control of your encryption keys, so that data is unreadable without the company’s permission or knowledge,” Moore told FedScoop. “If a cloud provider doesn’t offer encryption, then the company should be encrypting before sending to the cloud. Taking control of your critical data protection reduces risk.”